Cybersecurity Insurance 2023 Outlook

There’s been a lot of press about cybersecurity insurance in 2022, the main reason being that crimes are up, so payouts were up, and as we all know, insurance companies don’t like to pay (prevention is cheaper for everyone).

The easy outlook first: prices are going up and deductible are going up. Nothing unexpected, the risk is also going up…

The second one may come as a surprise, but it shouldn’t: Your cybersecurity insurance provider may not offer you a renewal. With the risks going up and many payouts getting paid, the insurance providers have started to learn that sometimes it’s just better to say “no”. We’ve seen two primary angles here, some providers are walking away of entire industries (municipalities, hospitals, schools) and most are running away from risky clients [that have not implemented the required control and policies to protect themselves].

Which brings us to the third and most important point: You now have to do the work. It’s been interesting to the see the evolution of cybersecurity contracts over the last 10 years. It used to only contain a single sentence along the lines of “You shall follow best practices”. It then slowly evolved into a checkbox “We are following best practices”. Nowadays, it usually involves multiple pages of questions (we've heard of some renewals having over 50 pages) and constant monitoring of “external factors” through a third-party monitoring service .

So what should you do in order to obtain and maintain cybersecurity insurance at the lowest cost possible? If you’ve read any of our other blogs, the list below should not surprise you:

• Enable Multi Factor Authentication on all cloud services and remote accesses
• Make sure everything is patched all the time (automatic update is a good place to start)
• Use a modern Anti-Malware that will attempt to stop contain threats
• Have good backups (encrypted, air gapped and offsite)
• Train your employees (regular cybersecurity training and phish simulation)
• Have an Cybersecurity Incident Response Plan (CIRP)
• Have an Acceptable Use Policy (if you don’t tell people what they can and cannot do with their computer resources, how do you expect them to know?)

Other things we are starting to see from some insurance providers, they usually do not mandate them, but having some or all may help to reduce your premiums and deductible:

• Zero Trust (or at least some network segmentation): This is an entire chapter on its own, but modeling your environment around Zero Trust  greatly helps to limit the potential impact of a cyber attack.
• Security Operations Center (SOC) or some kind of Managed Detection Response (MDR) service: Timely response is getting to be critical to limit damages. Having someone that is looking and taking action rapidly helps.
• Security Information and Event Management (SIEM): Cyber attacks are getting more complex and the only way to detect some of them is to look at every security event logs. SIEM aggerates all events and correlates them looking for known attack patterns (like Indicator Of Compromise (IOC)).
• Privilege Access Management (PAM): Privileged accounts (admin/root…) are the keys to your kingdom (or queendom (or realm)). A PAM solution helps protect those credentials behind additional security (like two factor, fire check process, approval workflows) and can also help with the management (enforced password rotations) and the logging (ideally into your SIEM).

We would also suggest registering with one of those third-party monitoring service, many allow you to “claim” your company so that you can see your own report and perform the required action, we like SecurityScorecard ). This way you will usually know if something changes before your insurance company calls you. The main issues companies usually have to fix are their emails (you must have SPF, DKIM and DMARC setup) and their website (must enforce https and not have any weak cyphers).

If you’ve read this far, usually one of three things usually happen:

• You have a sigh of relieve, pat yourself or your IT person on the back and know you are doing a good job.
• You see a couple of gaps, you understand the problem, you have a plan, and you’ll get there [soon hopefully].
• You are not really sure, there a lot of things here you don’t understand.

If you selected 3, you should engage with a cybersecurity service provider (may we suggest ALCiT?). If you are a Canadian Small and Medium Business, you may also be eligible for CDAP (Canadian Digital Adoption Program). The program will cover 90% of the assessment cost and provide you with a plan of action. Once you register, you will see ALCiT listed in the marketplace for advisors. We can also help you get registered if you are facing issues with the process (some good tips here ).